I was not able to find the original author of the quote “The attacker can exploit just one vulnerability to get in, while the defender needs to protect all ways in.” This line of thinking has long been used to sow depression and lower the morale of aspiring security professionals tasked with protecting enterprise IT environments and information. Furthermore, the ever-increasing complexity of our environments (adding cloud and mobile while keeping the mainframes and Windows XP) has made the list of said “ways in” that much longer, and thus the depression that much deeper. “More furthermore,” as millions of new devices are connected and organizations lose track of what is connected to what and where their data moves, the challenge of network defense looks more and more daunting…

All of this hints at a hypothetical “Attacker’s Advantage” that shapes security planning and architecture (defense in depth, layers, etc.), risk management, threat assessment, monoculture thinking, and so on. Of course, the same line of thinking has made attackers [and pentesters] rejoice and have another beer at the expense of defenders everywhere.

So, are we f*cked or what?

At this point, let’s briefly leave the cyber domain and visit the domain of warfare. Here, the long-quoted line is the 3:1 rule of thumb for the attacker-to-defender force ratio: an attacker is expected to need roughly three times the defender’s strength to prevail, so a defending force of 100 can hold a force of 300 at bay (with some assumptions in place, of course). The 5000+ year history of warfare teaches a consistent lesson about the defender’s advantage. After all, defenders know the terrain and build their defenses on it [and thus know them even better], have a chance to prepare plans and armaments, and train the troops in place – clearly that confers a non-trivial advantage on the defending side.

Where is the “Defender’s Advantage” in information / cyber security? I think it DOES EXIST, but many organizations choose to squander it. In theory, defenders should have the advantage because they control the terrain, but sadly there are cases where the incoming attacker knows the locations of sensitive data better than the defenders tasked with protecting that data (“… but we were planning that DLP data discovery deployment for 2015” – “guess what? the attacker owned your domain and then scanned all your servers for sensitive data. oops!”). The defender’s advantage here stems from knowing the terrain [=your IT environment], building defenses on it [=such as monitoring] and planning for battle [=having IR plans and procedures]; each of these can be done before the attacker ever shows up, and each is squandered simply by not doing the work.
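To make the “know your terrain” point concrete, here is an added example (mine, not from the post) of the kind of sensitive-data sweep a defender can run over their own file shares before an attacker does it for them. The hosts, paths and file contents are constructed sample data. The scanner flags card-number-like strings only if they pass the Luhn checksum, which weeds out serials and ticket numbers that merely look like PANs, and it reports masked values so the findings themselves do not become one more copy of the data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory for the example: host -> {path: contents}.
# In practice this would be fed by walking real shares; nothing here is real data.
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "fileserver01": {
        "/share/finance/q3_refunds.csv": (
            "order,card\n"
            "1001,4111 1111 1111 1111\n"   # well-known test PAN, passes Luhn
            "1002,5500-0000-0000-0004\n"   # well-known test PAN, passes Luhn
        ),
        "/share/hr/readme.txt": (
            "Nothing to see here. Ticket 1234567890123456 is a serial, not a card.\n"
        ),
    },
    "web02": {
        "/var/log/app.log": "ssn=078-05-1120 user=jdoe action=login\n",
    },
}

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout; a format-only check, no issuance validation.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers.

    A cheap filter that drops most serials and ticket IDs that merely look
    like card numbers, which is where regex-only discovery drowns in noise.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be stored and shared safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each sensitive item found in a blob of text."""
    findings: List[Tuple[str, str]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group(0).replace("-", ""))))
    return findings


def discover(hosts: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Sweep every file on every host; return (host, path, kind, masked_value) rows."""
    rows: List[Tuple[str, str, str, str]] = []
    for host, files in sorted(hosts.items()):
        for path, text in sorted(files.items()):
            for kind, masked in scan_text(text):
                rows.append((host, path, kind, masked))
    return rows


if __name__ == "__main__":
    for host, path, kind, masked in discover(SAMPLE_HOSTS):
        print(f"{host}:{path} {kind} {masked}")
```

Run against the constructed inventory, the sweep reports two PANs in the finance share and one SSN sitting in an application log on a web server, and stays silent on the HR readme whose 16-digit serial fails Luhn. The point is not the regexes; it is that this is exactly the sweep an attacker who has owned the domain will run, and the defender can run it first.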

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Good post, Anton. By applying an intelligence-driven defense model (http://j.mp/1uNAn4L), attackers are actually at a disadvantage. All their behaviors, hacking tools, etc. are used to detect their presence and prioritize hardening priorities. An attacker would literally have to reinvent their TTPs and human habits to pull off an attack successfully.

Usage of DECOY network systems enables the defenders to identify the progress of the attackers and to decide whether the attack should be mitigated immediately or whether it is better to collect intelligence on the attacker’s methods and goals.
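As an added illustration of the decoy idea in the comment above (my example, not the commenter’s or the post’s), the snippet below takes constructed connection-log lines, a map of decoy addresses to their cover names, and an allowlist for the authorized vulnerability scanner, and returns each source’s ordered trail across the decoys. Decoys have no legitimate users, so any other touch is a high-fidelity signal, and the per-source trail is what lets a defender judge how far an intruder has progressed before choosing between containing and watching. The addresses, hostnames and log layout are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed decoy inventory: address -> cover name. These hosts serve no real
# users, so any connection to them that is not from our own scanner is suspect.
DECOYS: Dict[str, str] = {
    "10.0.9.40": "decoy-fileserver",
    "10.0.9.41": "decoy-sqlserver",
}

# Constructed allowlist: the authorized vulnerability scanner touches everything,
# so without this exclusion it would look like the noisiest attacker on the network.
AUTHORIZED_SCANNERS = {"10.0.2.2"}

# Constructed flow log in a simple key=value layout assumed for this example.
SAMPLE_LOG = """\
2014-11-03T10:01:02Z src=10.0.5.23 dst=10.0.1.10 dport=443
2014-11-03T10:01:09Z src=10.0.5.23 dst=10.0.9.40 dport=445
2014-11-03T10:02:31Z src=10.0.5.23 dst=10.0.9.41 dport=1433
2014-11-03T10:03:00Z src=10.0.2.2 dst=10.0.9.40 dport=445
2014-11-03T10:04:12Z src=10.0.7.8 dst=10.0.1.10 dport=443
this line is malformed and must be skipped, not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

Touch = Tuple[str, str, int]  # (timestamp, decoy cover name, destination port)


def decoy_trails(
    lines: Iterable[str],
    decoys: Dict[str, str] = DECOYS,
    allow: Iterable[str] = AUTHORIZED_SCANNERS,
) -> Dict[str, List[Touch]]:
    """Map each non-allowlisted source to the ordered list of decoys it touched."""
    allowed = set(allow)
    trails: Dict[str, List[Touch]] = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed or unrelated line; the detector must not die on noise
        f = m.groupdict()
        if f["dst"] in decoys and f["src"] not in allowed:
            trails[f["src"]].append((f["ts"], decoys[f["dst"]], int(f["dport"])))
    return dict(trails)


if __name__ == "__main__":
    for src, touches in decoy_trails(SAMPLE_LOG.splitlines()).items():
        print(src, "->", " then ".join(f"{name}:{port}" for _, name, port in touches))
```

On the constructed log, only 10.0.5.23 is reported: it hit the decoy file server over SMB and then the decoy SQL server, which is the kind of trail that tells you the intruder is past the endpoint and probing for data. The scanner’s touch is dropped by the allowlist, and the workstation talking to a real server is never considered.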

>By applying an intelligence-driven defense model
>(http://j.mp/1uNAn4L), attackers are actually at a disadvantage

Sure, of course – an excellent point indeed. The problem? Very, very, very few people actually get it operationally [I mean ‘get it beyond rattling off the words “kill chain”‘ :-(], and in fact even conceptually…

Hi Anton,
Great entry. I really like utilizing the knowledge that mankind has gathered over centuries and millennia (such as warfare) in young domains (in this case, cyber warfare).
I think that one of the reasons we talk about “attacker advantage” in cyber warfare and not “defender advantage” is that the defensive side defines the wrong goals and as a result invests in the wrong places.
If you define your goal as stopping the adversary at the gate, you are very likely to lose, as the adversary has the advantage of surprise and can choose where and when to hit you. To eliminate the advantage of surprise, a smart defense strategy must use the depth element and contain the invaders until other forces arrive.
In cyber warfare that means shifting the focus from protection of the endpoint to protection of the data center. Even if an endpoint is breached, it’s not the end of the world. But it’s very important to keep the intruder from moving deeper into your network and stealing your critical data from the data center.

>one of the reasons we talk about “attacker advantage” in cyber
>warfare and not “defender advantage” is that the defensive
>side defines the wrong goals and as a result invests in the wrong
>places.

This does make sense – plenty of defenders define their goal as “be secure” (i.e., presumably “never hacked”); I guess the warfare counterpart of that would be “never be attacked”.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.